Use the Standard Syntax for More Advanced Searches

This topic describes how to form more advanced queries using the Standard search syntax and covers the following types of search:

  • Analytic Metadata (Views)

  • Parsing Status

  • Regular Expression

  • Relationship (Family, Container)

  • Document Class

  • Email (Source, Class, Participants)

  • Hidden Data and Annotations

  • Language

New Projects automatically use the Standard syntax. For information about basic queries, see Use the Standard Search Syntax for Basic Queries.

Analytic Metadata Searches

Analytic Metadata Searches can be used for documents in Project Data that are indexed at the Analytic Index level (the default Indexing level), and are based on one of the following types of view:

  • Batch Views
  • Cluster Views
  • Custodian or Group Views
  • Export Views
  • Media ID Views
  • Tag Views

If a specified view name contains an allowed special character not explicitly prohibited by name validation, such as a space or parentheses (), the name must be enclosed in double quotes. As an alternative, you can escape the character.

Batch View Search

batch_view::<batch_view>

Finds documents within a given Batch view in Project Data.

batch_view::batch001

Cluster View Search

cluster_view::<cluster_view> [cluster_value [subcluster_value]]

Finds documents that reside within a Clustered view of Project Data.

The cluster_view search format requires CaseData (for example, CaseData-2) for Project Data cluster/subcluster view names.

Examples:

cluster_view:: myfolder-4-1

cluster_view:: CaseData-1-1

Custodian or Group View Search

custodian_view::<custodian_view>

group_view::<folder>

Finds documents within a Project Data-based view such as a Custodian view, or a Group view such as a Folder you created.

Examples:

custodian_view::plaintiffa

custodian_view::em*

custodian_view::"(mydr)"

custodian_view::"david white"

group_view::folder*

group_view::folder1

Export View and Export View DocID Search

export_view::<streamName>[<volumeName>]

You can search for documents in an exported stream view by using export_view:: followed by the export stream name. To search for a volume, supply the same syntax but also add a hyphen followed by the volume name (not case-sensitive).

Examples:

export_view::export1

export_view::export1-vol0001

You can also search for a document in the export view and a volume by using the variation export_view_docid:: followed by the export stream name, volume, and DocID.

The following examples show a search for a single document with an export view doc ID, and an inclusive range search for documents in the specified range of export view doc IDs. For more information about Range Searches, see Use the Standard Search Syntax for Basic Queries.

For a search using a single export view doc ID (not a range search), you can use wildcards for the different portions of the format, each separated by a - (for example, export_view_docid::*-*-DOC0000000003).

Examples:

export_view_docid::export1-VOL0001-DOC0000000003

export_view_docid::[testexportdupesvol-VOL0001-DOC0000000001~~testexportdupesvol-VOL0001-DOC0000000048]

Media ID View Search

mediaid_view::<mediaid_view>

Finds documents within a given Media ID view in Project Data.

mediaid_view::"outlook journal"

Tag View Search

tag_view::"<tag_name_with_spaces>" or tag_view::<tag_name>

tag_view::any

Use the first syntax above to find documents tagged with the specified <tag_name>; use the second syntax to find any tagged documents in a view of Project Data. Tag view names are not case-sensitive, and you can use a wildcard to specify a Tag view name.

Examples:

tag_view::"Potentially Responsive" AND tag_view::*hot

tag_view::"Potentially Not Hot" AND tag_view::"Potentially Not Privileged" AND NOT music

tag_view::*not* AND legal system

tag_view::any

tag_view::savings_loan

tag_view::"(dr)"

Parsing Status Search

parsingstatus::<code_or_name>

Finds documents with a given parsing status. Because the field is tokenized and is not case-sensitive, you can search using the 5-digit parsing code, the text, or both. For a list of parsing codes and descriptions, see the Warnings and Errors table in View Data Set Reports.

Examples:

parsingstatus::00005

parsingstatus::no*

Regular Expression Search

"## <regex>"

Finds documents matching a regular expression (pattern). You must surround the regular expression and the ## identifier preceding it with quotation marks, as follows: "## <regex>". For information about forming regular expressions, see Pattern (Regex) Syntax.

If you enclose the entirety of a regular expression in parentheses, you must leave a space before the closing parenthesis (see the last example).

Examples:

"##199[0-9]"

"##\d\d\d"

"##politic(s|ian|al)"

("##politic(s|ian|al)" AND "##scien(ce|tist|tific)" )

Relationship Searches

These searches find information about both Email family (Message Attachment Group) and EDoc family (Document Attachment Group) relationships. The listed relationship operators are limited to the current view and can be used with any supported query, specified in parentheses, for content or metadata.

For data processed prior to 4.3.11.0, a token search query can be used, and must be placed within single quotes.

child_of(search_query) – Based on the results of a query, returns each immediate child, as follows:

  • The first-level attachments of Emails, both Email and EDoc attachments.
  • The first-level OLE attachments of EDocs with embedded OLEs.

Example:

child_of("golden gate")

children_of(search_query) – Based on the results of a query, returns all child-level items in the respective Email families or EDoc families, per the following logic:

  • If the results include the parent of a family, this relationship search returns all immediate (first-level) children, as well as any other children below that level (for example, secondary children).
  • If the results include one child of a family but not the parent, this relationship search would only return the child-level records attached to the resulting child.

Example:

children_of("house arrest")

family_of(search_query) – Based on the results of a query, and within the scope of the current view being searched, adds all remaining family members to their appropriate families. These are either Email families, called Message Attachment Groups (MAGs), or EDoc families, called Document Attachment Groups (DAGs). This operator will not go beyond the scope of the current view serving as the search target. For example, when searching within a current results view, the query family_of(to::barbara@myco.com) returns all documents from the result view that have barbara@myco.com in the to field, plus all remaining family members in the view that don't hit on the search query.

Example:

family_of(from::bob@myco.com)

parent_of(search_query) – Based on the results of a query, returns each immediate parent, as follows:

  • The immediate Email parent of an Email or EDoc attached to an email. If the Email parent is itself attached to another Email, the top-level Email is not necessarily returned, depending on the results.
  • The immediate EDoc parent of an embedded OLE attachment, in both Email and EDoc families where the OLE exists. If the OLE is part of an Email family, the top-level Email containing the EDoc with the OLE attachment is not necessarily returned, depending on the results.

Example:

parent_of(author::"john smith")

root_of(search_query) – Based on the results of a query, returns the top-level parents of both Email families (MAGs) and EDoc families (DAGs).

Example:

root_of(subject::"patent pending")
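The following Python sketch models the five relationship operators over one constructed Email family and one EDoc family. It is an added illustration, not the product's code: the document names and the `PARENT` map are constructed, and treating a top-level hit as its own root in `root_of` is an assumption.

```python
# Constructed sample data: child -> parent (None marks a top-level item).
PARENT = {
    "email1": None,             # top-level Email (root of a MAG)
    "att1.docx": "email1",      # first-level attachment of email1
    "ole1.xlsx": "att1.docx",   # OLE embedded in the attachment
    "email2": "email1",         # Email attached to email1
    "att2.pdf": "email2",       # attachment of the attached Email
    "report.doc": None,         # top-level EDoc (root of a DAG)
    "ole2.png": "report.doc",   # OLE embedded in the EDoc
}
ALL = set(PARENT)  # a view that contains every document

def _children(doc):
    return {c for c, p in PARENT.items() if p == doc}

def _descendants(doc):
    out = set()
    for c in _children(doc):
        out |= {c} | _descendants(c)
    return out

def _root(doc):
    while PARENT[doc] is not None:
        doc = PARENT[doc]
    return doc

# Each operator takes the hits of the inner query and the current view;
# results never leave the view.
def child_of(hits, view):
    return {c for h in hits for c in _children(h)} & view

def children_of(hits, view):
    return {d for h in hits for d in _descendants(h)} & view

def parent_of(hits, view):
    return {PARENT[h] for h in hits if PARENT[h] is not None} & view

def root_of(hits, view):
    # Assumption: a hit that is already top-level is returned as its own root.
    return {_root(h) for h in hits} & view

def family_of(hits, view):
    roots = {_root(h) for h in hits}
    return {d for d in view if _root(d) in roots}
```

With a hit on `att2.pdf`, `parent_of` returns only `email2` while `root_of` returns `email1`, which is the distinction the operator descriptions above draw between immediate and top-level parents.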

Document Class Search

docclass::<class>

Finds all documents of one of the following classes.

  • Message (for email messages)
  • Message_Attachment (for email attachments)
  • Message_OLE_Attachment (for embedded files extracted from a Message_Attachment or another Message_OLE_Attachment). These are listed in the Index.
  • EDoc (for files that are not email, any type of attachment, or any type of archive/disk image)
  • EDoc_OLE_Attachment (for embedded files extracted from an EDoc or an EDoc_OLE_Attachment). These are listed in the Index.
  • Message_Archive (for email archives)
  • Archive (for compressed files or file archives, such as RAR, TAR, ZIP)
  • Disk_Image (for disk images such as EWF)
  • Directory (for imported directories)

This field is not case-sensitive for the purposes of search, but it is not tokenized, so you must either specify the entire name of the class or use wildcards.

Examples:

docclass::edoc

docclass::edoc_ole*

docclass::message_ar*

docclass::message_attach*

docclass::directory

Email Searches

These searches find all email documents in a category -- source type, message class, or number of unique participants.

Email Source

msgsource::<email_source>

Finds all documents from one of the following email message source types:

  • Lotus_Notes (email and items extracted from Lotus Notes NSF)
  • Outlook (email and items extracted from Microsoft PST/OST)
  • Bloomberg (for loose emails identified as Bloomberg messages from Bloomberg archives)
  • Bloomberg_IB (for Instant Bloomberg messages)
  • MBox (for emails from RFC 822 Mailboxes)
  • Cellebrite (for emails representing Cellebrite items such as Instant Messages)
  • msg (for loose MSGs)
  • eml (for loose EMLs)

This field is not case-sensitive for the purposes of search, but it is not tokenized, so you must either specify the entire name or use wildcards.

Examples:

msgsource::lotus*

msgsource::bloomberg*

msgsource::outlook

Email Class

msgclass::<email_class>

Finds email items of one of the following email message classes:

  • email
  • calendar (Calendar items)
  • calresponse (Calendar response emails, to decline, accept, or tentatively accept meeting requests)
  • contact (Contacts)
  • distlist (Distribution Lists)
  • journal (Journal entries)
  • note (MS Outlook Sticky Notes)
  • todo (Tasks)
  • unknown (applies to unsupported and unknown Lotus Notes items that have a parsing status of 00043 UNSUPPORTED_LOTUS_NOTE or 00044 UNKNOWN_LOTUS_NOTE)

This field is not case-sensitive for the purposes of search.

Examples:

msgclass::calendar

msgclass::journal

msgclass::calresponse

Email Participants

Use the numemailparticipants metadata field along with specified participants to limit a search to only those unique email participants, based on information in the to, from, bcc, and cc fields.

Example:

from::jross AND to::jjones AND numemailparticipants::2

Hidden Data and Annotations

These fields search hidden data or document annotations. You can search any part of these tokenized fields, which are not case-sensitive for the purposes of search.

  • hiddendata::<hiddendata_terms> searches the following types of hidden data: Excel_Hidden_Columns, Excel_Hidden_Rows, Excel_Hidden_Worksheets, Excel_VeryHidden_Worksheets, Powerpoint_Hidden_Slides, and Word_Hidden_Text.
  • docannotations::<docannotations_terms> searches the following types of document annotations: Excel_Auto_Filter, Excel_Comments, Excel_Protected_Worksheets, Excel_Protected_Workbook, Excel_Track_Changes, Pdf_Comments, PowerPoint_Comments, PowerPoint_Notes, Word_Comments, and Word_Revisions (to flag edits, even when track changes is disabled). As of 5.4.2.0, this field supports Microsoft Office documents that contain Modern Comments and can contain the appropriate value (Excel_Comments, PowerPoint_Comments, or Word_Comments).

Examples:

hiddendata::power*

docannotations::pdf*

hiddendata::excel

Language Search

Finds documents containing the specified language or documents for which the specified language is the dominant language.

language::<language_code>

dominantlanguage::<language_code>

Examples (for Chinese and Japanese, respectively):

language::zh*

dominantlanguage::ja

Supported Languages for Language Detection provides a list of the supported languages and their letter codes.